Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-03-2023 17:43
Behavioral task
behavioral1
Sample: sample.exe
Resource: win7-20230220-en
General
Target: sample.exe
Size: 194KB
MD5: 76bea7506af30bdecc70c3d361819f28
SHA1: 4a07972df9558c3bcfc932997d86453d9006ddbb
SHA256: 06c73da1c0fdbb10efa56ee3a0fb13685c4b395e4aa9008024c657601f3960b3
SHA512: 9815ab55d978a0c1974b29c82eff2b69d770a77fbbf157d8b3df807f31393de4f3a980460e24e4b2f62628ab36de95caf79e28fc0b21e9684e01762433549e30
SSDEEP: 3072:euK0THf52i3H3bvOoAtLYJTlG/OwWREQjd2x:euK+cC3bjAaTc
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Azazel
C2: azazelxd.duckdns.org:5555
C2: 127.0.0.1:5555
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: svchost.exe
install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/1208-133-0x0000000000870000-0x00000000008A6000-memory.dmp | asyncrat
  C:\Users\Admin\AppData\Roaming\svchost.exe | asyncrat
  C:\Users\Admin\AppData\Roaming\svchost.exe | asyncrat

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | sample.exe

Executes dropped EXE (1 IoCs)
  pid | process
  1252 | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
  pid | process
  1240 | timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | process
  1208 | sample.exe  (23 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1208 | sample.exe
  Token: SeDebugPrivilege | 1252 | svchost.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | target process
  PID 1208 wrote to memory of 4744 | 1208 | sample.exe | cmd.exe  (3 entries)
  PID 1208 wrote to memory of 4776 | 1208 | sample.exe | cmd.exe  (3 entries)
  PID 4776 wrote to memory of 1240 | 4776 | cmd.exe | timeout.exe  (3 entries)
  PID 4744 wrote to memory of 840 | 4744 | cmd.exe | schtasks.exe  (3 entries)
  PID 4776 wrote to memory of 1252 | 4776 | cmd.exe | svchost.exe  (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp981E.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp981E.tmp.bat
  Filesize: 151B
  MD5: cb783381fdf1b836c489328454808fa6
  SHA1: 2921f8abfbbe00e413987292c8c162d055032569
  SHA256: 79dd2c983731b3c1740bc449d2660b023e31dc6f56b786abd912d0250be0a92d
  SHA512: dea9089a45db9c3ff52844b33f2aa38db9db256ede5d1cd91c44b7b899c94748153f5b705dbcfbe6b610595b31980028c71f47c6fa9803952548cb8e7c4cfc87

C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 194KB
  MD5: 76bea7506af30bdecc70c3d361819f28
  SHA1: 4a07972df9558c3bcfc932997d86453d9006ddbb
  SHA256: 06c73da1c0fdbb10efa56ee3a0fb13685c4b395e4aa9008024c657601f3960b3
  SHA512: 9815ab55d978a0c1974b29c82eff2b69d770a77fbbf157d8b3df807f31393de4f3a980460e24e4b2f62628ab36de95caf79e28fc0b21e9684e01762433549e30

C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 194KB
  MD5: 76bea7506af30bdecc70c3d361819f28
  SHA1: 4a07972df9558c3bcfc932997d86453d9006ddbb
  SHA256: 06c73da1c0fdbb10efa56ee3a0fb13685c4b395e4aa9008024c657601f3960b3
  SHA512: 9815ab55d978a0c1974b29c82eff2b69d770a77fbbf157d8b3df807f31393de4f3a980460e24e4b2f62628ab36de95caf79e28fc0b21e9684e01762433549e30

memory/1208-133-0x0000000000870000-0x00000000008A6000-memory.dmp
  Filesize: 216KB

memory/1208-134-0x0000000005340000-0x0000000005350000-memory.dmp
  Filesize: 64KB

memory/1208-135-0x0000000005350000-0x00000000053EC000-memory.dmp
  Filesize: 624KB